Identifying first contact unsolicited communications

ABSTRACT

Techniques involving identification of electronic messages that are the first contact between the sender identification and addressed recipients. One representative technique includes identifying electronic messages originating from a sender that are first contact electronic messages between the sender and targeted recipients. The sender of the electronic messages may be designated as a source of unsolicited messages if heuristics involving the first contact electronic messages indicate a distribution of unsolicited messages by the sender.

RELATED APPLICATION

This Application is a Continuation of and claims benefit from U.S. Pat.No. 8,682,990 that was issued on Mar. 25, 2014, and that is incorporatedherein by reference in its entirety.

BACKGROUND

Desktop computing devices, laptop and other portable computers,smartphones and other hand-held devices, and other electronic devicesare typically equipped to receive electronic communications, such aselectronic mail (e.g. “email”), text messages, or the like. With theadvent of large scale wireless and wireline networks, and a cornucopiaof such electronic communication devices in use over the globe, reachingother people has never been easier. Email has become one of the bestmediums for individuals, companies, advertisers or other entities tolocate a desired audience for advertisement and solicitations. However,it is often the case that the targeted recipients of such communicationsdid not solicit, nor do they want to receive, communications from suchentities. The indiscriminate distribution of such electroniccommunications is colloquially referred to as junk email, “spam,”unsolicited bulk email, etc.

Email providers, such as web-based email providers, attempt to managesuch unsolicited email on behalf of their registered users. Local emailclients may also include software to attempt to identify and filterunwanted email messages. Identifying and properly filtering unsolicitedemail and other electronic messages has proven to be a substantial task,as the sources of unsolicited email continue to seek ways to make theircommunications look legitimate, or at least to make them difficult toidentify as illegitimate.

SUMMARY

Techniques involving identification of electronic messages that are thefirst contact between the sender identification and addressedrecipients. One representative technique includes identifying electronicmessages originating from a sender that are first contact electronicmessages between the sender and targeted recipients. The sender of theelectronic messages may be designated as a source of unsolicitedmessages if heuristics involving the first contact electronic messagesindicate a distribution of unsolicited messages by the sender.

Another representative technique includes determining a ratio ofelectronic messages addressed to first contact targeted recipients to atotal number of the electronic messages identified as being sent by thesender. If the ratio exceeds a threshold, the sender of the electronicmessages is designated as a source of unsolicited messages.

Another embodiment is directed to an apparatus that includes aprocessor. A first contact determination module includes instructionsexecutable by the processor that are configured to determine whether anemail is a first contact between the email sender and a targetedrecipient. A calculation module includes instructions executable by theprocessor that are configured to calculate a value representative of aquantity of the first contact emails relative to a reference number ofemails recognized as being sent by the sender. A compare module includesinstructions executable by the processor that are configured to comparethe calculated value to a threshold to determine whether the sender willbe regarded as a source of unsolicited bulk email.

One embodiment includes one or more computer-readable media havinginstructions stored thereon that are executable by a processor. Theexecutable instructions perform various functions, including maintaininga count of a total number of emails sent by a sender and addressed totargeted recipients. Additionally, a respective record of identifiersinvolved in email communication with each of the targeted recipients ismaintained. It is determine whether the sender has previouslycommunicated with each of the targeted recipients based on a comparisonof the respective record of identifiers and an identifier of the sender.The functions further include maintaining a count of a number of emailssent to the targeted recipients that represent a first contact betweenthe sender and the respective targeted recipients. A ratio of the countof the number emails sent to the targeted recipients that represent afirst contact and the count of the total number of emails addressed tothe targeted recipients is derived. The ratio is compared to a thresholdvalue, and further emails from the sender to the targeted recipients arerestricted if the ratio exceeds the threshold value.

In particular embodiments of the functions performed by such executableinstructions, the instructions may further establish the threshold valuebased on at least a category of the sender identified from one or moreaddresses used by the sender.

This Summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used to limit the scope of the claimed subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram generally illustrating a representative manner foridentifying and acting on first contact unsolicited messages;

FIG. 2 is a block diagram of a representative system environment inwhich the principles described herein may be implemented;

FIG. 3 is a block diagram depicting a representative message analysismodule;

FIGS. 4A and 4B are flow diagrams illustrating representative manner foridentifying senders of electronic messages as sources of unsolicitedmessages;

FIG. 4C is a flow diagram illustrating representative variations in theidentification of message senders as sources of unsolicited messages;

FIG. 5 is a flow diagram illustrating representative variations ofparticular features described herein; and

FIG. 6 depicts a representative computing system in which the principlesdescribed herein may be implemented.

DETAILED DESCRIPTION

In the following description, reference is made to the accompanyingdrawings that depict representative implementation examples. It is to beunderstood that other embodiments and implementations may be utilized,as structural and/or operational changes may be made without departingfrom the scope of the disclosure.

The disclosure is generally directed to identifying sources ofunsolicited electronic messages. In the context of email, senders candistribute commercial or other unsolicited emails to any addressee. Assuch unsolicited emails are often sent to addresses of email recipientsunknown to the sender, the disclosure involves identifying those senderswho send some sufficient quantity of “first contact” emails relative toall emails sent by those senders to recipients tracked by the system.Upon identifying such senders, action can be taken to mitigate furthertargeting of the recipients tracked by the system.

More particularly, a wide variety of electronic devices are capable ofreceiving electronic communications. These devices range from desktopand portable computers, mobile phones, onboard systems in transportationvehicles, appliances, etc. Sources of unsolicited emails and otherelectronic communications consequently have an extremely large number ofaddressable recipients that can be targeted. However, it is often thecase that the targeted recipients of such communications did notsolicit, nor do they want to receive, such unsolicited communications.

Email systems, whether remote mail servers and other mail transferagents, and/or local email clients, may attempt to manage suchunsolicited email. Web-based email providers strive to mitigate suchcommunications on behalf of their registered users. As noted above,identifying and properly filtering unsolicited electronic messages hasproven to be a substantial task, as the sources of such communicationscontinue to seek ways to make their email look legitimate, or at leastto make their email difficult to identify as illegitimate.

In some cases, the senders of unsolicited email “spoof” the sender tomake it look as though it is a first contact between the sender andtargeted recipients. Thus, where junk email filters may have alreadyblocked a particular sender, a dodgy sender may distribute furtheremails with new sender information, thereby mimicking a first contact inan attempt to evade the junk email filters. Attempts to stop firstcontact email could result in a large number of false positives, wherelegitimate senders could be blocked and/or legitimate emails could beblocked or designated as junk/spam. Distinguishing between a legitimatesender and a first contact “spammer” can be difficult at a system levelor user level.

To address these and other problems, the disclosure provides solutionsfor at least identifying sources of unsolicited electronic messages, andin some cases taking action to mitigate receipt by targeted recipientsof further indiscriminately distributed communications. As describedherein, illegitimate message communications may be identified based onthe nature of the relationship between message senders and theirtargeted receivers. With such information, the email or other electronicmessages may be blocked, moved, or otherwise managed to mitigate thenegative impact on the targeted recipients.

Thus, among other things, techniques described in the disclosure involveidentification of electronic messages that are the first contact betweenthe sender identification and addressed recipients. One representativetechnique includes determining a ratio of electronic messages addressedto first contact targeted recipients to a total number of the electronicmessages identified as being sent by the sender. If the ratio exceeds athreshold, the sender of the electronic messages is designated as asource of unsolicited messages.

Various embodiments below relate to electronic messages such as email,instant messaging, short message service (SMS) or other text messages,and the like. The principles described herein are applicable to anyelectronic messaging technology. Representative examples describedherein may reference any one or more of these electronic messagingtechnologies, yet the principles are applicable to other messaging typesunless noted otherwise. Thus, while embodiments may be described interms of electronic mail or “email,” the operational and structuralfeatures described, herein are not limited to only this type ofelectronic communication.

Further, reference is made herein to communicated messages, which mayinclude unsolicited electronic email or messages. Electronic mail thatis not solicited, by a recipient may be referred to herein in variousways, such as unsolicited email, unsolicited bulk email (UBE), junkemail, “spam,” etc. Reference to any particular one(s) of these and/orother terms is not intended to limit the description to any particularphraseology, or to possible definitional differences of one term/phraserelative to another unless otherwise noted. It should also be noted thatthe description herein can also be applied to solicited or seeminglysolicited email as well, although representative embodiments describedherein relate to email or other messages that are unsolicited by thetargeted recipients.

FIG. 1 is a diagram generally illustrating a representative manner foridentifying and acting on first contact unsolicited messages. There maybe any number of message sending devices 100A, 100B, 100 n, etc. Thesesending devices 100A, 100B, 100 n may represent, for example, desktopcomputing devices, portable or “laptop” computing devices, servercomputing devices, smartphones and other mobile communication devices,or any other electronic device capable of communicating electronicmessages over wires and/or over-the-air (OTA).

Determining who or what represents a “sender” may be accomplished invarious manners. For example, a sender may be identified by what islisted in the “from” address field of an email or other message. Inanother embodiment, the domain of the sender's address may be used toidentify the sender. An identification of a registered entity in thesender's address can be used to identify the sender, such as autonomoussystem (ASN) prefixes, WHOIS protocol, etc. The sender's internetprotocol (IP) address may be used to identify the sender, as may a rangeof IP addresses. For example, classless inter-domain routing (CIDR)addresses/prefixes may be used to identify a sender in a range ofaddresses. Email header information or other metadata may identify asender, or contribute to the identification of a sender. Any one or moreof these representative sender identification attributes, and/or othersender identification attributes, may be used to identify the sender.

Such devices 100A, 100B, 100 n may send messages 102A, 102B, 102 naddressed to targeted recipients of the messages utilizing one or moremessage receiving devices 104. The messages 102A, 102B, 102 n representany type of electronic message, including but not limited to electronicmail (email), text messages, instant messaging messages and/or otherforms of addressable electronic communications. While many messages102A, 102B, 102 n are welcomed by a user(s) of the message receivingdevice(s) 104, in many cases the messages are unsolicited. Such messagesare colloquially referred to as “junk mail,” “spam” “unsolicited bulkmail,” “unsolicited messages,” or other similarly suggestive terms inthe electronic communications area.

In an effort to reduce the amount of such unsolicited messages, thedisclosure describes techniques for recognizing certain communicationsas unsolicited based at least on the nature of the relationship betweenmessage senders and their targeted receivers. In one embodiment, amessage analysis module 106 may determine that a sufficiently highnumber of electronic messages sent by a sender (e.g. message sendingdevice 100A), relative to all electronic messages sent by that sender,are directed to recipients that the sender has not previouslycommunicated with. If such a determination is made, in one embodiment itis presumed that the sender is distributing unsolicited messages torecipients to which no preexisting relationship exists. A large ratio ofsuch “first contact” messages originating from a sender may be viewed asevidence of that sender being a source of spam or other unsolicitedmessages. Even where a “spammer” continually changes the name in the“from” field or other identification of the originator to avoid otherspam filters looking for repeat offenders, the techniques describedherein can identify that sender as a “spammer,” as the targetedrecipients will appear as first contacts with respect to the neworiginator name.

Messages are often directed to targeted recipients by way of anintermediary server(s). For example, a mail server may accept emaildirected to the message receiving device 104, and make that emailavailable to the message receiving device 104. The representativefunctions of the message analysis module 106 may be implemented anywherealong the path of the communicated messages. For example, functionsdepicted in the representative message analysis module 106 may beimplemented at a message serving apparatus such as a mail server,message proxy or other intermediary device logically in the path from amessage sending device 100A to the message receiving device 104. One ormore of the illustrated functions of the message analysis module 106and/or other functions for identifying unsolicited message sources asdescribed herein may also be implemented, for example, at the messagereceiving device 104 itself. Thus, while the representative messageanalysis module 106 is depicted as a distinct module for purposes ofexample, it does not suggest that it could not be integrated with otherdevices in the path of the messages.

As noted above, the representative message analysis module 106 enablessenders of a sufficiently high ratio of first contact messages to beidentified. As messages are received at the message analysis module 106,information from the messages may be used in the analysis to determinewhether a sender is communicating unsolicited messages. For example, inthe case of email and other electronic messages, a communicated message102A may identify the sender, as depicted by the sender identification108. The sender may be identified in numerous manners, such as by a“from” field, interact protocol (IP) address, associated domain, and thelike. The message 102A may also identify one or more targeted recipients110 of the message, which in one embodiment includes an address of eachtargeted recipient 110.

The illustrated message analysis module 106 illustrates a generalembodiment in which it can be determined, using at least the senderidentification 108 and targeted recipients 110, whether the sender ispresumed to be an originator of unsolicited messages. In one embodiment,each of the targeted recipients of each message 102A originating from asender identified by the sender identification(s) 108 is stored. Stateddifferently, in one embodiment, for each sender identified by a senderidentification 108, each of the recipients 110 that the sender has triedto communicate with is stored, such as in a database or other storage.

Information may also be stored for each recipient, such as depicted bythe recipient communication history 112. This communication history 112can maintain the identifications of the communicating people/entities towhich each recipient has directed a message to or received a messagefrom. For example, the recipient communication history 112 may representa database of the incoming and outgoing communications for each messagerecipient tracked by the message analysis module 106. In one example,the message analysis module 106 is used in conjunction with a mailserver(s) or other mail transfer agent(s). In such cases, the recipientcommunication history 112 may track the names, addresses or otheridentifiers of those directing messages to, or receiving messages from,the device users communicating by way of that mail server(s). Asdescribed below, the persons/entities in the communication history 112for each person communicating via the message analysis module 106 mayalso be referred to herein as the “people I communicate with,” or PICW.

For a particular sender identified by the sender identification 108, itcan be determined at block 114 whether the targeted recipient 110 of themessage 102A is the first contact with the respective targetedrecipient. For example, where the recipient communication history 112does not show any prior communication with the sender identified by thesender identification 108, it may be determined to be a “first contact”by that sender to that targeted recipient. Stated alternatively, if thesender is not part of the targeted recipient's previously-establishedPICW, it is deemed a first contact in one embodiment.

First contacts by a sender to a targeted recipient are normal in manycases, as there will be a first time in which a particular recipientwill be sent an electronic communication by a particular sender.However, where a sender is sending a large percentage of first contactemail or other messages, it is indicative of the distribution ofunsolicited messages. Heuristics involving the first contact electronicmessages can provide a indication of whether a sender is distributingspam or other junk messages. For example, one representative case mayinvolve targeted message recipients receiving what is considered to be atypical quantity of first contact emails for some period of time wherean abrupt change to that quantity of first contact emails may beindicative of a distribution of unsolicited messages by some sender(s).In other examples, the quantity of first contact messages relative tosome reference value, whether a fixed or contingent reference value, canidentify message senders as sources of unsolicited messages. Thus, asshown at block 116, first contact heuristics may be identified. If suchheuristics are indicative of a sender distributing spam or otherunsolicited messages, the sender can be designated as an origin ofunsolicited messages as depicted at block 120.

In one representative embodiment, for each sender identified by thesender identification 108, the heuristics involve identifying a ratio ofthe first contact messages relative to the total messages sent by thatrespective sender. Block 116 depicts such an embodiment. For example,the total number of recipients 110 targeted by the particular senderidentification 108 can be tracked as the “reference,” as can the numberof first contacts determined at block 114. The number of first contactscan be compared to the total number, of recipients 110 targeted by thatsender. Where the identified ratio of first contact messages to thetotal messages sent by the sender reaches a threshold as determined atblock 118, that sender may be designated as an origin of unsolicitedmessages (e.g. a “spammer”) as shown at block 120. Otherwise, if theratio does not exceed the threshold, block 120 shows that the senderwill not be designated as the origin of unsolicited messages.

As described in greater detail below, the threshold may be a staticvalue, or may be dynamic in that it may change based on other factors.For example, a higher tolerance (e.g., a higher ratio of first contactmessages relative to the total messages sent) may be afforded to sendersassociated with a well-known address domain. Alternatively, in anotherexample, a lower tolerance may be afforded to senders associated with anunknown address domain. Thus, it should be recognized that the“threshold” described herein may be established in any desired manner,including but not limited to the exemplary manners described herein.

FIG. 2 is a block diagram of a representative system environment inwhich the principles described herein may be implemented. While theexample of FIG. 2 is described in terms of email, the principles areanalogously applicable to other electronic messages. Email messages 200are received via a wireless and/or wireline network 202 at one or moremail transfer agents 204, such as one or more mail servers. The emailmessages 206 may be delivered to the email store 208 which serves asbackend storage for emails. The store 208 may also store other data foreach email user associated with the system, such as the PICW information210. In one embodiment, the PICW information 210 represents contactinformation of those already having been communicated with by eachrespective user (and potential targeted recipient) served by the mailtransfer agent 204.

For each sender of email messages 200, the mail transfer agent 204 canprovide email samples and PICW 212. For example, the email samples mayinclude any or all of the emails stored in the store 208, or may includea subset such as at least a list or other representation of therecipients targeted by a particular sender of the email messages 200.With a targeted recipient list for each sender, and the PICW information210 ultimately provided to an aggregation server(s) 214, the aggregationserver 214 can perform functions to identify whether each respectivesender is sending unsolicited emails based on at least a first contactratio. For example, in the example of FIG. 2, the aggregation server(s)214 can record the recipients targeted by each sender, can record thePICW information for each recipient/user served by the mail transferagent 204, and in response to this information can determine whethereach targeted recipient is a first contact of that sender. Theaggregation server 214 can determine the number of first contact emailssent by each sender relative to a total number of emails sent by eachrespective sender, and if the ratio is above a threshold, can designatethe respective sender as an origin of unsolicited messages (e.g. a“spammer”) or otherwise take action concerning that respective sender.

Various actions may be taken in response to a sender being designated asan origin of unsolicited messages. In one representative example, theaggregation server 214 can notify the mail transfer agent(s) 204 toblock senders from sending further unsolicited email to recipients/usersserved by the mail transfer agent(s) 204. Such an example is depicted inFIG. 2 by providing a block senders of unsolicited bulk email (UBE)notification 216 to the mail transfer agent 204.

In another exemplary action that may be taken, the mail sent by thesender designated as an origin of unsolicited email may be “timetraveled” as depicted by the time travel UBE notification 218. As usedherein, time traveling email generally refers to recognizing certainmail as spam or otherwise unsolicited after it has been added to auser's inbox, and in response thereto, moving that mail to a junk folderor otherwise disposing of it. In this manner, while the sender's emailmay not be blocked, the ability of the sender to contact targetedrecipients is limited for any subsequently-dispatched electronicmessages. In one embodiment, one or more email messages delivered to aweb-based email system inbox can be moved from the user's inbox to ajunk email folder, in response to recognizing the sender of the emailmessage(s) as an origin of unsolicited messages. Thus, the email is“time traveled” by going back in time and moving the messages that weredelivered to the user's inbox to the junk folder. In one embodiment,only mail delivered to a user's inbox since the user last logged in tohis/her email system are time traveled, although this need not be thecase. In this manner, mail is not moved once the user would have anopportunity to view it in a certain place (e.g. inbox), as it could beconfusing to a user to move email after it had been noted in aparticular place. In another embodiment, mail moved into a local emailclient is also not time traveled once it has indeed been imported intothe local email client. Again, the principles described herein areequally applicable to time traveling any mail, whether already noted ina location by a user or not, but one embodiment involves time travelingonly the email that has not yet been presented to the user in a placedifferent than where it would otherwise be moved to.

Various other actions may instead, or additionally, be implemented inresponse to recognizing a sender as an origin of unsolicited messages.Those depicted in FIG. 2 are presented for purposes of illustration.Unsolicited messages from a sender can be deleted or moved, the sendermay be blocked or warned, and/or any other desired action may be used.In one embodiment, further emails from the sender to the targetedrecipients are in some way restricted, whether by blocking, moving,deleting, or otherwise affect the disposition of the email.

FIG. 3 is a block diagram depicting another representative messageanalysis module 300 that may be separately provided, provided with anaggregation server or mail server, etc. In the example of FIG. 3, asender 302 represents any particular sender of emails (or othermessages). The sender may be identified in any fashion, such as by wayof an email “from” field, domain name, IP address, etc. Assuming in FIG.3 that the messages at issue are emails, the emails 304A, 304B may eachinclude at least recipient identification 306 of at least one recipient,a sender identification 308 of the sender, and a body 310. A database orother storage 312 can track sender identification 308 in a senders field312A. Thus, a database record or other affiliated stored information maybe stored for each received email 304, 306.

In one embodiment, the total number of emails 304, 306 sent by eachsender 302 is recorded. For example, each email originating from eachsender, such as a sender identified by sender information 308, may becounted by a counter module 314. The total number of emails sent by thesender identified by the sender identification 308 can be stored in thedatabase or other storage 312, such as shown by the total sent field312B. Other manners of counting the total emails by a sender may also beused, such as in the case there the email 304B includes multiplerecipient identifiers 306. In such case, the counter module 314 maycount each recipient identifier 306 in the email 304B, which istantamount to an equal number of individually addressed emails. Thus, inone embodiment, the total sent field 312B represents the number ofaddressees that the sender 302 (identified by the sender identification308) has attempted to contact.

It should be noted that the counter module 314, or analogous countermodules), may track any reference value(s) for comparison to the numberof first contact emails. Thus, the counter module 314 may track valuesdifferent than the total number of emails identified as being sent bythe sender 302. For example, the counter module 314 could track thenumber of emails sent in a particular time period, or in response to atrigger event, etc. Depending on the heuristics and desired reference,the counter module 314, timers, event counters, event triggerrecognition devices, and/or other components may be used to determinethe relevant heuristics for a given situation.

In the same or different database or storage 316, recipients 306targeted in the incoming emails 304A, 304B are identified in a recipientfield 316A. In one embodiment, each recipient or other user served bythe message analysis module 300 is tracked in the database/storage 316,so that those who have communicated with each recipient can be tracked.This is depicted by the PICW field 316B. The PICW field 316B can store,for each recipient in the recipient field 316A, up to all of thepersons, entities and/or other communicating sources and destinationsthat have previously communicated with that recipient. Thus, the PICWfield 316B is updated in response to the arrival of new emails 304A,304B, and in response to the respective recipient sending emails.

For a representative email 304B that has arrived at the message analysismodule 300, the recipient(s) 306 identified as addressees in that email304B are looked up in the database/storage 316. If that recipient isfound in the recipient field 316A, the associated PICW in the PICW field316B can be obtained. The obtained PICW from the PICW field 316B forthat recipient identification 306 is compared to the senderidentification 308, as depicted at decision block 318. Thus, in oneembodiment, the decision block 318 may be implemented using a comparemodule such as software configured for execution on a processor(s). Thecomparison may compare each of the entries in the PICW field 316B forthat particular recipient 316A to the sender identified by one or moreidentifying attributes in the sender identification 308. If the senderis already part of that recipient's PICW, then the sender identified bythe sender identification 308 will not be designated as an origin ofunsolicited email, as depicted at block 320.

If, however, the sender identified by the sender identification 308 isnot part of the recipient's PICW as determined at block 318, the emailfrom that sender identification 308 to that recipient identification 306is deemed a first contact between these parties. A counter module 322can count such first contacts between such parties. The counter module322 may be implemented in hardware, or software executable via aprocessor(s) to count the number of first contact emails sent by thesender identified by the sender identification 308. This will occur foreach sender 302 of emails arriving at the mail server, mail transferagent, or other entity incorporating a message analysis module 300 asdescribed herein. The “count” obtained for each sender at the countermodule 322 may store the running count of first contacts in a firstcontact field 312C of a database record or other storage entry of thedatabase/storage 312 for the respective sender in the senders field312A. In one embodiment, each record of a database 312 thereforeidentifies each sender in the senders field 312A, along with therespective total emails sent in the total sent field 312B, and thenumber of emails that are deemed “first contacts” in the first contactfield 312C.

At any time the email senders identified in the senders field 312A maybe checked to make a determination whether the stored senders are to beconsidered origins of unsolicited emails. This can be triggeredrandomly, periodically, based on trigger events, and/or in connectionwith other events and/or times. For example, in one embodiment involvinga triggering event, a calculation of the ratio of the first contactsrelative to the total emails sent by a sender may be determined wheneither the number of total emails sent and/or the number of firstcontacts changes. More particularly, a calculation of the ratio of thefirst contacts in the first contact field 312C relative to the totalemails sent from the total sent field 312B for the respective sender inthe senders field 312A may be determined at the time that the total sentfield 312B and/or first contact field 312C is updated.

In one embodiment, the ratio calculation module 324 determines the ratioof first contact emails sent relative to the total number of emails sentfor each sender being tracked. In one embodiment, all senders aretracked, although this need not be the case, as any desired subset ofsenders may be tracked, including specific senders, a random sampling ofsenders, etc. Nevertheless, in one embodiment, all senders are trackedto enable identification of each sender whose first contact emails areproportionally high enough to enable confirmation of the respectivesender as an origin of unsolicited email.

The ratio calculation module 324, as with other modules describedherein, may be implemented in hardware, firmware, or software. In oneembodiment, the ratio calculation module 324 is implemented in softwareexecutable by a processor(s) to compare the number of first contactscounted by the counter module 322 and stored in the first contact field312C for the respective sender in senders field 312A, to the totalemails sent as counted by the counter module 314 and stored in the totalsent field 312B. In one embodiment, this “comparison” may be implementedvia a mathematical division of the first contacts divided by the totalemails sent, providing a quotient that is a ratio or percentage of firstcontact emails relative to the total emails sent by each respectivesender.

A threshold may be established as depicted at block 326. In oneembodiment, the threshold is a static value, such as 90%, or 80%, etc.In such a case, if the number of first contact emails sent by aparticular sender exceeds the static threshold as determined at decisionblock 328, that sender can be designated as an origin of unsolicitedemails as depicted at block 330.

In one embodiment, the total number of emails sent, as stored in thetotal sent field 312B, also involves a threshold such that the ratiodetermined at block 328 will not designate a sender as a source ofunsolicited email unless the total number of emails sent by that senderexceeds a particular number. This is depicted by dashed line 332, whichrepresents the inclusion of the total emails sent from the total sentfield 312B as a factor in the decision at block 328. For example, it maybe established that to designate a sender as a spammer at block 330, theratio calculated by the ratio calculation module 324 is greater than90%, and the total number of emails sent by that sender exceeds 10,000.

The threshold may be established in other manners. The threshold may notbe entirely static, but may be static for certain categories of senders,for a particular time, etc. For example, a category 334 of the senderidentified in the sender identification 308 can be used to set or adjustthe threshold, whereby the threshold is established at block 326 basedon at least the category 334 of sender. While this is described ingreater detail below, the category of sender may be determined based onfactors such as, for example, the domain of the sender, the country oforigin, different classes of senders, etc.

In another embodiment, the number of domains 336 used by a sender mayimpact where the threshold is established. For example, the number ofdomains used for an identifiable sender may also be tracked in thedatabase/storage 312, and used in establishing the threshold at block326 for such a sender. As a more particular example, if a sender usesmore than one domain, or uses some threshold number of domains, thethreshold for the requisite first contact-to-total emails ratio, and/orthe total number of emails sent by that sender, may be reduced. In thismanner, establishing the threshold at block 326 may be different fordifferent senders, or different groups of senders, etc. Other factorsrepresented by block 338 can alternatively or additionally be used inestablishing the threshold for designating a sender as a source ofunsolicited email.

It should be recognized that the example of FIG. 3 involves determininga ratio of first contact-to-total sent email based on an identificationof the sender. This identification may be made based on any one or moreof the sender's single IP address, a range of IP addresses, “from”field, domain, registered entity, etc. In one embodiment, the senderidentification 308 is based on the sender's IP address, although the“from” field in the email 304B or other sender identifiers may bealternatively or additionally used. Further, the first contactdetermination at block 318 may be made for recipient information fromthe “from” field of the email 304B, although it could be based on otheridentifier(s) of the email recipient such as recipient IP address or thelike.

FIG. 4A is a flow diagram illustrating a general technique for providingthe capability to identify certain senders of electronic messages assources of unsolicited messages. Block 400 of this representativetechnique involves identifying electronic messages originating from asender that are first contact electronic messages between the sender andtargeted recipients. As shown at block 401, the sender of the electronicmessages may be designated as a source of unsolicited messages ifheuristics involving the first contact electronic messages indicate adistribution of unsolicited messages by the sender.

FIG. 4B is a flow diagram illustrating a representative manner foridentifying senders of electronic messages as sources of unsolicitedmessages using a ratio of first contact messages relative to the totalmessages known to be sent by each respective sender. Representativeblock 402B depicts an embodiment to determine a ratio of electronicmessages addressed to targeted recipients that are first contacts of thesender, relative to a total number of electronic messages identified ashaving been sent by that sender. For example, electronic messages suchas email may be identified as having been sent by a particular sender ata mail server or other mail transfer agent. In one embodiment,electronic messages sent by the sender that do not pass through the mailserver or other mail transfer agent are not considered as part of thetotal number of electronic messages, although collaboration with otherelectronic messaging systems may be implemented to enable a largerreach.

The ratio determined at block 402B may then be used to determine whetheror not the sender of electronic messages corresponding to the determinedratio is a source of unsolicited electronic messages. More particularly,block 403B illustrates an embodiment where the sender of the electronicmessages is designated as a source of unsolicited messages if the ratiodetermined at block 402B exceeds some threshold. In this manner, actionsmay be taken relative to further electronic communications by such asource of unsolicited messages, to mitigate what has been deemed as junkmail or “spam.”

FIG. 4C is a flow diagram illustrating representative variations in theidentification of message senders as sources of unsolicited messages. Inthis example, the electronic messages are assumed to be emails. Block402C involves determining a ratio of first contact emails from a senderversus a total number of emails from that sender. The example of block400B illustrates one representative manner in which such ratio may bedetermined. This example assumes that such a ratio is determined forevery sender recognized by the monitoring system, as depicted at block404. In this example, block 406 illustrates that the total number ofemails sent by each sender is counted. As previously noted, this mayinvolve counting each email sent by a sender, each sender/recipientcombination, etc. for example, if a sender delivers an email to onehundred different recipients, one embodiment involves considering thatmulti-recipient email as one hundred separate emails. In otherembodiments, each distinct email is what is counted towards the totalnumber of emails.

If the targeted recipient(s) has not previously sent/received to/fromthe sender as determined at block 408, the current email will be deemeda first contact email, which will be counted as shown at block 410 foreach sender. In one embodiment, the first contact is determined on arecipient basis, such that a single email to one hundred differentrecipients that have never previously communicated with the sender willbe counted as one hundred first contact emails. The ratio of the firstcontact emails to the total emails may be determined as shown at block412.

The calculated ratio determined at block 412 may be compared to athreshold value as depicted at block 420. In one embodiment, thisthreshold is established as shown at block 414. The threshold may befixed as shown at block 416, for example, such that the comparison atblock 420 is compared to a previously-established value. In otherembodiments, the threshold is not fixed, but rather is contingent uponone or more factors as depicted at block 418. In any case, the ratiodetermined at block 412 is compared to the threshold determined at block414, and it is determined at block 422 whether the calculated ratio ofblock 412 exceeds the established threshold. If not, block 124illustrates that the sender will not be deemed a source of unsolicitedemails. Otherwise, if the ratio of block 412 exceeds the establishedthreshold, the sender of the emails will be designated as a source ofunsolicited emails as depicted at block 403C.

FIG. 5 is a flow diagram illustrating representative variations ofparticular features described herein. The depicted variations areprovided for purposes of example, as many variations may be used inconnection with the description that are not depicted in FIG. 5. Theillustrated embodiment of FIG. 5 depicts various representative mannersat block 500 in which the sender of emails and other electronic messagesmay be identified. Email is assumed for purposes of this example,although the principles of FIG. 5 may be applied to other electronicmessages.

As shown at block 500, a sender may be identified by what is listed inthe “from” address 502 of the email. In one embodiment, the firstcontact determination is made using the “from” address of the sender,although other sender identification may be used. The “from” address 502may therefore be used as the sole criterion, or one of a plurality ofcriteria, for identifying the sender. In another embodiment, the domain504 of the sender's address may be used to identify the sender. Anidentification of a registered entity 506 in the sender's address can beused to identify the sender, such as autonomous system (ASN) prefixes,WHOIS protocol, etc. The sender's interact protocol (IP) address 508 maybe used to identify the sender, as may a range of IP addresses 510. Forexample, classless inter-domain routing (CIDR) addresses/prefixes may beused to identify a sender in a range of addresses. These and othermanners may be used to identify email senders, which can then be trackedto determine whether they are sending unsolicited emails.

At some point, a threshold 522 value is established as shown at block520. The threshold 522 may be used as a reference for determiningwhether a sender is deemed a source of unsolicited emails. In oneembodiment, the threshold 522 is contingent upon at least a category 524of sender. For example, the entire analysis of whether a sender is asource of unsolicited emails, or the threshold 522 value, may becontingent on the specific class(es) of sender under consideration.Information in the sender's address, email header, metadata and/or otherinformation may be used to determine a class of sender that can be usedto establish a category 524 to possibly impact the threshold 522. Forexample, an interact service provider (ISP) 528 or trusted providers 530may reference email from certain email providers that may be affordedsome different treatment relative to other classes. Small 532 sendershaving lower volumes may also be considered as a class, as well asunknown addresses or domains 534. Small or unknown addresses/domains, asnoted at blocks 532, 534, may be afforded some different treatmentrelative to other classes. These and/or other 536 classes may beutilized. In one embodiment, a category determination module 526 candetermine which of the available classes a sender belongs, and theresulting category 524 may then, if desired, be used to adjust thethreshold 522. In other embodiments, the class or category 524 maydetermine whether or not to even perform the first contact analysis ortake any action. Thus, in one embodiment, the threshold for restrictingfurther emails from a sender decreases as a predetermined level of trustin the category of the sender decreases.

Another factor that may impact the threshold 522 is the number ofdomains 538 the sender used as part of the first contact mailing. Forexample, sources of unsolicited emails may use multiple domains, and alarge percentage of the email may be first contact email. Thus, in oneembodiment, the number of domains 538 may impact the ratio or percentagethat triggers the “spammer” label for a sender. In a particularembodiment, the number of domains 538, category 524 and/or other 542factors may impact the threshold 522 on a sliding scale, whetherproportionally impacting the threshold 522 or not. For example, with asingle domain, a triggering ratio of first contact to total emails sentmay be 90%, where with five or ten domains the ratio may be reduced suchas to 70%, 80%, or something less than the single-domain percentage of90%. Further, as previously noted, the threshold 522 may be fixed 540,whether temporarily or permanently fixed 540.

A ratio or other relative indication is calculated as shown at block550, which may be calculated by comparing the number of first contactemails sent by a sender to the total emails sent by the sender. In oneembodiment, the first contact emails may be divided by the total emailssent to arrive at a relative number, percentage or ratio, which can beeasily compared to a fixed or adjustable threshold 522. It is determinedat block 560 whether the calculated ratio surpasses the establishedthreshold. It should be recognized that to exceed, surpass, or begreater than an established threshold may involve being greater than orequal to that threshold. Thus, if a threshold is set to 0.90, any valueof 0.90 or above may be deemed as satisfying the threshold.Alternatively, a “stated” threshold of 0.90 may actually be a thresholdof just under 0.90 (e.g. 0.89+), whereby surpassing the “actual”threshold of 0.89 (and reaching 0.90) causes the triggering event. Thus,the actual threshold value, and whether it is inclusive of its statedvalue or not, is not of particular import to the principles describedherein.

If it is determined that the ratio surpasses the established thresholdat block 560, some action may be taken as depicted by block 570. FIG. 5illustrates numerous, representative examples of actions that might betaken. It should be recognized, however, that such representativeexamples do not represent an exhaustive list, but rather are provided tofacilitate an understanding of how actions might be taken.

As shown at block 572, the sender may be blocked from any furthercommunication with recipients served by the system. For example, a mailserver or other mail transfer agent may be notified to block emails fromthat sender's IP address and/or other sender identification. In suchcase, the targeted recipients served by that system would no longerreceive email from that sender. At blocks 574 and 576, incoming emailsoriginating from the sender may be deleted or otherwise blocked. Inanother example shown at block 578, incoming emails from that sender maybe directed to the targeted recipient's junk folder or other location,rather than to the recipient's inbox. Block 580 illustrates anotherembodiment, where mail that might have been posted to a recipient'semail inbox (or other legitimate email folder) is time traveled to adifferent folder, such as a junk folder. This time traveling in essencemoves the email from a legitimate email holding folder (e.g. inbox) to afolder that suggests the email is unsolicited or “spam” (e.g. junk emailfolder). These and other actions may be taken in response to determiningthe sender to be a source of unsolicited email.

FIG. 6 depicts a representative computing apparatus or device 600 inwhich the principles described herein may be implemented. Therepresentative computing device 600 can represent any one or morecomputing devices in which emails and/or other electronic messages maybe received and processed. For example, the computing device 600 mayrepresent an aggregation server 214 as identified in FIG. 2, or a mailtransfer agent 204 of FIG. 2 where the functions of the aggregationserver 214 are integrated therein. Thus, the computing device 600represents any computing server, desktop computing device, laptop orother portable computing device, smart phone or other hand-held device,personal digital assistant, etc. The computing environment described inconnection with FIG. 6 is described for purposes of example, as thestructural and operational disclosure for identifying and/or mitigatingfirst contact spam as described herein is applicable in any computingenvironment in which email or other electronic messages may be received,and processing functionality is provided to carry out features describedherein. It should also be noted that the computing arrangement of FIG. 6may, in some embodiments, be distributed across multiple devices (e.g.mail server, aggregation server, storage, etc.).

The representative computing device 600 may include a processor 602coupled to numerous modules via a system bus 604. The depicted systembus 604 represents any type of bus structure(s) that may be directly orindirectly coupled to the various components and modules of thecomputing environment. A read only memory (ROM) 606 may be provided tostore firmware used by the processor 602. The ROM 606 represents anytype of read-only memory, such as programmable ROM (PROM), erasable PROM(EPROM), or the like.

The host or system bus 604 may be coupled to a memory controller 614,which in turn is coupled to the memory 612 via a memory bus 616. Thetechniques and embodiments described herein may be implemented insoftware that is stored in any storage, including volatile storage suchas memory 612 and/or non-volatile storage devices. FIG. 6 illustratesvarious other representative storage devices in which applications,modules, data and other information may be temporarily or permanentlystored. For example, the system bus 604 may be coupled to an internalstorage interface 630, which can be coupled to a drive(s) 632 such as ahard drive. Storage 634 is associated with or otherwise operable withthe drives. Examples of such storage include hard disks and othermagnetic or optical media, flash memory and other solid-state devices,etc. The internal storage interface 630 may utilize any type of volatileor non-volatile storage.

Similarly, an interface 636 for removable media may also be coupled tothe bus 604. Drives 638 may be coupled to the removable storageinterface 636 to accept and act on removable storage 640 such as, forexample, floppy disks, compact-disk read-only memories (CD-ROMs),digital versatile discs (DVDs) and other optical disks or storage,subscriber identity modules (SIMs), wireless identification modules(WIMs), memory cards, flash memory, external hard disks, etc. In somecases, a host adaptor 642 may be provided to access external storage644. For example, the host adaptor 642 may interface with externalstorage devices via small computer system interface (SCSI), FibreChannel, serial advanced technology attachment (SATA) or eSATA, and/orother analogous interfaces capable of connecting to external storage644. By way of a network interface 646, still other remote storage maybe accessible to the computing device 600. For example, wired andwireless transceivers associated with the network interface 646 enablecommunications with storage devices 648 through one or more networks650. Storage devices 648 may represent discrete storage devices, orstorage associated with another computing system, server, etc. (e.g.store 208 of FIG. 2). Communications with remote storage devices andsystems may be accomplished via wired local area networks (LANs),wireless LANs, and/or larger networks including global area networks(GANs) such as the Internet.

The computing device 600 may transmit and/or receive information fromexternal sources, such as to send and/or receive electronic messages.Communications between the device 600 and other devices can be effectedby direct wiring, peer-to-peer networks, local infrastructure-basednetworks (e.g., wired and/or wireless local area networks), off-sitenetworks such as metropolitan area networks and other wide areanetworks, global area networks, etc. A transmitter 652 and receiver 654are shown in FIG. 6 to depict a representative computing device'sstructural ability to transmit and/or receive electronic messages orother data in any of these or other communication methodologies. Thetransmitter 652 and/or receiver 654 devices may be stand-alonecomponents, may be integrated as a transceiver(s), may be integratedinto a different communication devices such as the network interface646, etc.

The memory 612 and/or storage 634, 640, 644, 648 may be used to storeprograms and data used in connection with the various techniques foridentifying/mitigating first contact spam as described herein. Thestorage/memory 660 represents what may be stored in any one or more ofthe memory 612, storage 634, 640, 644, 648, and/or other data retentiondevices. In one embodiment, the representative device's 600storage/memory 660 may include an operating system 662, and numerousoperational modules executable by the processor 602 for carrying outtechnical operations described herein. These operational modules may beexecuted as part of one or more applications operating on top of theoperating system 662, or one or more modules may be implementedelsewhere such as part of the operating system 662 itself. It should benoted that while modules in FIG. 6 may be described in terms of email,they are equally applicable to other electronic messages.

For example, a first contact determination module 664 may be provided todetermine whether an email(s) or other electronic message(s) from asender is a first contact to each targeted recipient of theemail/message. The first contact determination module 664 may, forexample, be implemented in software executable via the processor(s) 602.In one embodiment, the first contact determination module 664 examinesthe recipient communication history 684 which is depicted as stored data680. If the recipient communication history 684 does not show any priorcommunication with the particular sender, it may be determined to be afirst contact by that sender to that targeted recipient. Thus, the firstcontact determination module 664 is capable of determining a firstcontact email/message if the sender is not part of the targetedrecipient's previously-established PICW, shown in FIG. 6 as therecipient communication history 684.

The storage/memory 660 may also include a total email counter module 666and a first contact counter module 668, which respectively count thetotal emails from a sender to the tracked recipients, and the number ofthose emails that are first contacts with the tracked recipients. Basedon these results which may be stored as the sender first contact andtotal messages count 682, the calculation module 670 (serving as a ratiocalculation module in this example) can derive a value(s) that canrepresent the quantity of first contact emails relative to the totalnumber of emails sent by that sender. For example, the value may be aratio of the first contact emails to the total emails. It should berecognized, however, that the value may be any representation of therelative counts, such as a ratio of the total emails to the firstcontact emails, or other mathematical formula using the count values.The threshold determination module 674 determines the threshold, whethera fixed value, modifiable value, etc. In one embodiment where thethreshold is fixed, the threshold determination module may merelyrepresent a stored value (e.g. 0.90). In other embodiments, at leastclasses or categories of senders may impact the determination of thethreshold, in which case a category determination module 672 may beprovided to examine sender identification information and determinewhich of a plurality of categories the sender's email may fall into.Based on such determined category, the threshold determination module674 can adjust the threshold. The number of domains and/or other factorsmay instead, or additionally, impact the threshold value.

The calculated ratio from the calculation module 670 and the thresholdfrom the threshold determination module 674 can be compared by thecompare module 676 to determine whether the ratio meets/exceeds thethreshold value. If the threshold is exceeded, the response module 678can be invoked. The response module 678 may take some action in responseto recognizing that the sender has sent a proportionally large (or atleast reaching some fixed or calculated value) number of emails to therecipients being tracked. For example, the response module 678 may blockthe sender from further communications with recipients served by thesystem. This may be accomplished in various manners, such as sending anotification to the mail server(s) or other mail transfer agent(s) tostop receiving emails/messages from the identified sender. The responsemodule 678 may delete or block incoming emails from that sender, whichagain may be facilitated with the assistance of a mail server or mailtransfer agent. Other notifications to direct incoming messages to aparticular destination (e.g. junk folder) or to time travel certainreceived, email may provided. These are representative of the types ofactions that may be taken by the response module 678.

The modules 666-676 represent one embodiment where a ratio of firstcontact emails to the total emails identified as sent by a sender isdetermined. However, as previously noted, such a ratio is an example ofthe type of heuristics that may be used to identify senders as sourcesof spam. Other heuristics may alternatively or additionally used, suchas detecting changes in such ratios, detecting abrupt changes inincoming message volumes, detecting changes in first contact messagevolumes over time, etc. Thresholds may be adjusted based on the type ofheuristics involved, as well as other factors such as those described inconnection with FIG. 5. Thus, modules such as modules 666-676 representone exemplary embodiment of a heuristics module 679 that more generallydepicts how first contact messages may be used to identify sources ofunsolicited electronic messages.

As previously noted, the representative computing device 600 in FIG. 6is provided for purposes of example, as any computing device havingprocessing capabilities can carry out the functions described hereinusing the teachings described herein. Any one or more of these modulesmay be implemented in programs or applications, such as email clients orweb-based email systems, or other messaging systems installed locally ona user's computing device or on a server(s) capable of communicatingwith the user's computing device. These modules and data are depictedfor purposes of illustration, and do not represent an exhaustive list.Any programs or data described or utilized in connection with thedescription provided herein may be associated with the storage/memory660.

As demonstrated in the foregoing examples, embodiments described hereinfacilitate identification and mitigation of first contact spam, as wellas other features. In various embodiments, methods are described thatcan be executed on a computing device(s), such as by providing softwaremodules that are executable via a processor (which includes a physicalprocessor and/or local processor, controller, etc.). The methods mayalso be stored on computer-readable media that can be accessed and readby the processor and/or circuitry that prepares the information forprocessing via the processor. For example, the computer-readable mediamay include any digital storage technology, including memory 612,storage 634, 640, 644, 648, any other volatile or non-volatile storage,etc.

Any resulting program(s) implementing features described herein mayinclude computer-readable program code embodied within one or morecomputer-usable media, thereby resulting in computer-readable mediaenabling storage of executable functions described herein to beperformed. As such, terms such as “computer-readable medium,” “computerprogram product,” computer-readable storage, computer-readable media oranalogous terminology as used herein are intended to encompass acomputer program(s) existent temporarily or permanently on anycomputer-usable medium.

Having instructions stored on computer-readable media as describedherein is distinguishable from instructions propagated or transmitted,as the propagation transfers the instructions, versus stores theinstructions such as can occur with a computer-readable medium havinginstructions stored thereon. Therefore, unless otherwise noted,references to computer-readable media/medium having instructions storedthereon, in this or an analogous form, references tangible media onwhich data may be stored or retained.

Although the subject matter has been described in language specific tostructural features and/or methodological acts, it is to be understoodthat the subject matter defined in the appended claims is notnecessarily limited to the specific features or acts described above.Rather, the specific features and acts described above are disclosed asrepresentative forms of implementing the claims.

What is claimed is:
 1. A method performed on a computing device, themethod comprising: receiving, by the computing device via a network,electronic messages originating from a source; determining, by thecomputing device, that the received electronic messages represent firstcontacts by the source with designated recipients of the receivedelectronic messages based on communication histories of the designatedrecipients that do not show any prior communications with the source;identifying, by the computing device based on a quantity of the firstcontacts, the received electronic messages as first-contact electronicmessages; designating, by the computing device based on the identifying,the source as a source of unsolicited messages; and blocking, by thecomputing device based on the designating, incoming electronic messagesfrom the designated source.
 2. The method of claim 1 where theidentifying is further based on a change in the quantity of the firstcontacts exceeding a threshold.
 3. The method of claim 2 where thethreshold is contingent upon a classification of the source.
 4. Themethod of claim 1 where the first-contact electronic messages are sentfrom the source to the designated recipients with which the source hasno pre-existing relationship.
 5. The method of claim 1 where thefirst-contact electronic messages comprise electronic mail.
 6. Themethod of claim 1 where the blocking includes deleting the incomingelectronic messages or moving the incoming electronic messages.
 7. Themethod of claim 1 where the source is identified based on at least onenetwork address.
 8. A computing device comprising: a processor; memorycoupled to the processor; a network interface via which the computingdevice is configured to receive, via a network, electronic messagesoriginating from a source; a heuristics module via which the computingdevice is configured to: determine that the received electronic messagesrepresent first contacts by the source with designated recipients of thereceived electronic messages based on communication histories of thedesignated recipients that do not show any prior communications with thesource; identify the received electronic messages as first-contactelectronic messages based on a quantity of the first contacts; designatethe source as a source of unsolicited messages based on the identifiedfirst-contact electronic messages; and the computing device configuredto block, based on the source being designated the source of theunsolicited messages, incoming electronic messages from the designatedsource of the unsolicited messages.
 9. The computing device of claim 8where the received electronic messages are identified as first-contactelectronic messages based on a change in the quantity of the firstcontacts exceeding a threshold.
 10. The computing device of claim 9where the threshold is contingent upon a classification of the source.11. The computing device of claim 8 where the first-contact electronicmessages are sent from the source to the designated recipients withwhich the source has no pre-existing relationship.
 12. The computingdevice of claim 8 where the first-contact electronic messages compriseelectronic mail.
 13. The computing device of claim 8 where the blockedincoming electronic messages are deleted or moved.
 14. The computingdevice of claim 8 where the source is identified based on at least onenetwork address.
 15. At least one computer-readable medium thatcomprises instructions that, based on execution by a computing device,configure the computing device to perform actions comprising: receiving,by the computing device via a network, electronic messages originatingfrom a source; determining, by the computing device, that the receivedelectronic messages represent first contacts by the source withdesignated recipients of the received electronic messages based oncommunication histories of the designated recipients that do not showany prior communications with the source; identifying, by the computingdevice based on a quantity of the first contacts the received electronicmessages as first-contact electronic messages; designating, by thecomputing device based on the identifying, the source as a source ofunsolicited messages; and blocking, by the computing device based on thedesignating, incoming electronic messages from the designated source.16. The at least one computer-readable medium of claim 15 where theidentifying is based on a change in the quantity of the first contactsexceeding a threshold.
 17. The at least one computer-readable medium ofclaim 16 where the threshold is contingent upon a classification of thesource.
 18. The at least one computer-readable medium of claim 15 wherethe first-contact electronic messages are sent from the source to thedesignated recipients with which the sender has no pre-existingrelationship.
 19. The at least one computer-readable medium of claim 15where the blocking includes deleting the incoming electronic messages ormoving the incoming electronic messages.
 20. The at least onecomputer-readable medium of claim 15 where the source is identifiedbased on at least one network address, or where the first-contactelectronic messages comprise electronic mail.